b"         OFFICE OF INSPECTOR GENERAL \n\n\n\n\n                                  Catalyst for Improving the Environment\n\n\nAudit Report\n\n\n\n\n       EPA Could Improve Processes for\n       Managing Contractor Systems\n       and Reporting Incidents\n       Report No. 2007-P-00007\n\n       January 11, 2007\n\x0cReport Contributors:\t            Rudolph M. Brevard\n                                 Neven Morcos\n                                 William Coker\n                                 Warren Brooks\n\n\n\n\nAbbreviations\n\nASSERT       Automated Security Self Evaluation and Remediation Tracking\nCSIRC        Computer Security Incident Response Capability\nEPA          U.S. Environmental Protection Agency\nEPAAR        Environmental Protection Agency Acquisition Regulation\nFISMA        Federal Information Security Management Act\nIRM          Information Resource Management\nISO          Information Security Officer\nOEI          Office of Environmental Information\nOIG          Office of Inspector General\n\x0c                     U.S. Environmental Protection Agency                                                2007-P-00007\n\n                                                                                                      January 11, 2007\n\n                     Office of Inspector General\n\n\n                     At a Glance\n\n                                                                           Catalyst for Improving the Environment\n\nWhy We Did This Audit           EPA Could Improve Processes for Managing \n\nWe sought to determine          Contractor Systems and Reporting Incidents \n\nwhether the U.S.\nEnvironmental Protection         What We Found\nAgency (EPA) defined\nsecurity requirements for       Although EPA had defined the specific requirements for contractor systems, EPA\ncontractor-owned systems        had not established procedures to ensure identification of all contractor systems.\nthat collect data for EPA.      
Furthermore, EPA had not ensured that information security requirements were\nWe also sought to determine     accessible by the contractors and appropriately maintained. As a result, EPA\nwhether EPA offices             system inventories may not include all appropriate contractor systems, and its\nidentified and reported all\n                                contractors may not be implementing adequate security safeguards.\ncomputer security-related\nincidents to EPA\xe2\x80\x99s Computer\nSecurity Incident Response      Although EPA offices were aware of the Agency\xe2\x80\x99s computer security incident\nCapability (CSIRC) staff.       response policy, many offices lacked local reporting procedures, had not fully\n                                implemented automated monitoring tools, and did not provide sufficient training on\nBackground                      local procedures. EPA offices also did not have access to network attack trend\n                                information necessary to implement proactive defensive measures. As a result,\nEPA uses contractors to         there was no consistency in how, what, and when EPA offices reported computer\ncollect and process             security incidents. Without all relevant security incident data, EPA may not\ninformation on its behalf.      accurately inform senior Agency officials regarding the performance and security\nAnnually, the contractors       of the Agency\xe2\x80\x99s network.\nreview their systems\xe2\x80\x99\ncompliance with established      What We Recommend\ninformation security\nrequirements and record the\n                                To address weaknesses associated with contractor systems, we recommend that\nresults in EPA\xe2\x80\x99s security\nmonitoring database.            EPA assign duties and responsibilities for maintaining and updating information\nCSIRC defines the formal        posted on EPA\xe2\x80\x99s Website. 
We also recommend that EPA update its guidance for\nprocess by which EPA            identifying contractor systems. Further, we recommend that EPA establish formal\nresponds to computer            procedures to ensure that all responsible program offices update and maintain their\nsecurity-related incidents      EPA-specific contract clauses on a regular basis.\nsuch as computer viruses,\nunauthorized user activity,     To address the computer security incident reporting weaknesses, we recommend\nand serious software            that EPA update the Agency\xe2\x80\x99s computer security incident guide to cover reporting\nvulnerabilities.                instructions for all locations, establish a target date for when it will configure the\n                                Agency\xe2\x80\x99s anti-virus software to utilize the central reporting feature, train\nFor further information,        Information Security Officers on new procedures, and provide Information Security\ncontact our Office of           Officers with computer security incident reports.\nCongressional and Public\nLiaison at (202) 566-2391.\n                                The Agency generally agreed with our recommendations. In many cases,\nTo view the full report,        management provided milestone dates and planned actions to address the report\xe2\x80\x99s\nclick on the following link:\n                                findings. The Agency\xe2\x80\x99s complete response is included at Appendices A and B.\nwww.epa.gov/oig/reports/2007/\n20070111-2007-P-00007.pdf\n\x0c                        UNITED STATES ENVIRONMENTAL PROTECTION AGENCY\n                                     WASHINGTON, D.C. 
20460\n\n\n                                                                                          OFFICE OF\n                                                                                     INSPECTOR GENERAL\n\n\n                                         January 11, 2007\n\nMEMORANDUM\n\nSUBJECT:               EPA Could Improve Processes for Managing\n                       Contractor Systems and Reporting Incidents\n                       Report No. 2007-P-00007\n\nTO:                    Molly A. O\xe2\x80\x99Neill\n                       Assistant Administrator\n                       Office of Environmental Information\n\n                       Luis Luna\n                       Assistant Administrator\n                       Office of Administration and Resources Management\n\nThis is our report on the subject audit conducted by the Office of Inspector General (OIG) of the\nU.S. Environmental Protection Agency (EPA). This report contains findings that describe the\nproblems the OIG has identified and corrective actions the OIG recommends. This report\nrepresents the opinion of the OIG and does not necessarily represent the final EPA position.\nFinal determinations on matters in this report will be made by EPA managers in accordance with\nestablished resolution procedures.\n\nThe estimated cost of this report \xe2\x80\x93 calculated by multiplying the project\xe2\x80\x99s staff days by the\napplicable daily full cost billing rates in effect at the time \xe2\x80\x93 is $466,534.\n\nAction Required\n\nIn accordance with EPA Manual 2750, you are required to provide a written response to this\nreport within 90 calendar days. You should include a corrective actions plan for agreed upon\nactions, including milestone dates. We have no objections to the further release of this report to\nthe public. This report will be available at http://www.epa.gov/oig.\n\nIf you or your staff have any questions regarding this report, please contact Rudolph M. 
Brevard,\nDirector for Information Resources Management Assessments, at (202) 566-0893 or\nbrevard.rudy@epa.gov.\n\n                                              Sincerely,\n\n\n\n                                              Bill A. Roderick\n                                              Acting Inspector General\n\x0c                               EPA Could Improve Processes for Managing \n\n                               Contractor Systems and Reporting Incidents \n\n\n\n\n\n                                Table of Contents \n\n\nChapters\n 1    Introduction ..........................................................................................................       1     \n\n\n              Purpose ..........................................................................................................    1         \n\n              Background ...................................................................................................        1         \n\n              Scope and Methodology ................................................................................                2         \n\n\n 2    EPA Could Improve Processes for Managing Contractor Systems .................                                                 5\n\n\n              Additional Guidance Needed for Identifying Contractor Systems...................                                      5\n\n              Procedures Needed for Updating EPA-Specific Contract Clauses ................                                         5\n\n              Processes Needed for Maintaining IRM Requirements..................................                                   6\n\n              Recommendations .........................................................................................             6         \n\n              Agency Comments and OIG Evaluation.........................................................                           
6\n\n\n 3    EPA Could Improve Its Incident Reporting Processes .....................................                                      7     \n\n\n              EPA Locations Need Local Incident Reporting Procedures ...........................                                    7\n\n              EPA Had Not Fully Implemented Its Centralized Monitoring Software...........                                          8\n\n              EPA Employees Need Training on Local Reporting of Incidents ...................                                       8\n\n              Incident Trend Reports Not Provided to Information Security Officers ..........                                       9\n\n              Recommendations ........................................................................................              9\n\n              Agency Comments and OIG Evaluation.........................................................                           9\n\n\n Status of Recommendations and Potential Monetary Benefits ................................                                        11 \n\n\n\n\nAppendices\n A    Office of Environmental Information Response to Draft Report .....................                                           12\n\n B    Office of Administration and Resources Management\n      Response to Draft Report ....................................................................................                16\n\n C    Distribution ...........................................................................................................     17\n\x0c                                             Chapter 1\n                                              Introduction\n\nPurpose\n                    Our overall objective was to evaluate the implementation and effectiveness of the\n                    U.S. 
Environmental Protection Agency\xe2\x80\x99s (EPA\xe2\x80\x99s) information security practices.\n                    We reviewed EPA\xe2\x80\x99s processes for managing contractor systems and handling\n                    computer security incidents. Specifically, we sought to identify to what extent\n                    EPA has defined security requirements for contractor-owned systems that collect\n                    data on EPA\xe2\x80\x99s behalf.1 We also sought to determine whether EPA program and\n                    regional offices identified and reported all computer security-related incidents to\n                    EPA\xe2\x80\x99s Computer Security Incident Response Capability (CSIRC) staff.\n\nBackground\n                    We performed this audit pursuant to the Federal Information Security\n                    Management Act (FISMA) of 2002. FISMA establishes a framework for\n                    ensuring the effectiveness of EPA\xe2\x80\x99s information security programs. FISMA\n                    requires EPA to implement policies and procedures commensurate with the risk\n                    and magnitude of harm resulting from the malicious or unintentional impairment\n                    of Agency information assets.\n\n                    Contractor Systems\n\n                    EPA uses a variety of contractor support services to operate its information\n                    technology resources. This includes contractors who operate EPA-owned systems\n                    that reside in Government facilities. This also includes contractors who own and\n                    operate systems that collect and process information on EPA\xe2\x80\x99s behalf. To\n                    monitor the contractors\xe2\x80\x99 systems\xe2\x80\x99 compliance with established information\n                    security requirements, EPA requires its contractors to complete an annual self-\n                    assessment for their systems. 
The self-assessment is intended to identify system\n                    weaknesses and create plans to remediate them. This self-assessment is consistent\n                    with guidance published by the National Institute of Standards and Technology.\n\n                    EPA\xe2\x80\x99s Office of Environmental Information (OEI) is responsible for establishing\n                    the framework in which EPA offices oversee the annual self-assessment. EPA\n                    offices are responsible for ensuring that all of their contractor systems are\n                    identified and the self-assessments are completed. EPA offices record the self-\n                    assessment information in a central database, called the Automated Security Self\n                    Evaluation and Remediation Tracking (ASSERT) database. EPA uses ASSERT\n\n1\n    Throughout this report, we refer to contractor-owned systems with EPA data as \xe2\x80\x9ccontractor systems.\xe2\x80\x9d\n\n\n                                                          1\n\n\x0c         to report the status of its information security program to the Office of\n         Management and Budget (OMB). Therefore, it is essential that all contractor\n         systems are identified and results recorded in ASSERT.\n\n         The Office of Acquisition Management is responsible for overseeing EPA\xe2\x80\x99s\n         contracting processes. This includes establishing a process to ensure that EPA\n         Acquisition Regulation (EPAAR) clauses are updated. EPA offices are\n         responsible for updating their offices\xe2\x80\x99 EPAAR clause. EPA offices are also\n         responsible for ensuring information referenced in EPAAR clauses is current.\n         OEI informs contractors about EPA-specific information system security\n         requirements through an EPAAR clause. The EPAAR directs contractors to an\n         EPA Website that contains applicable Agency security requirements. 
As such, it\n         is vital that the information be accurate and accessible so EPA contractors can\n         implement the necessary controls to protect the data processed on EPA\xe2\x80\x99s behalf.\n\n         Incident Reporting\n\n         EPA\xe2\x80\x99s CSIRC staff manages the computer security incident reporting process.\n         CSIRC defines the formal process by which EPA responds to computer security-\n         related incidents such as computer viruses, unauthorized user activity, and serious\n         software vulnerabilities. CSIRC facilitates the centralized reporting of incidents\n         and provides support to help EPA Information Security Officers (ISOs). OMB\n         and the National Institute of Standards and Technology provide guidelines for the\n         sharing and timely reporting of computer security incidents. Other Federal\n         guidance requires organizations to provide personnel with initial and annual\n         refresher training on computer security. This training includes training personnel\n         on computer security incident handling.\n\n         EPA developed the following policies to guide the Agency\xe2\x80\x99s computer security\n         incident reporting processes:\n\n            \xe2\x80\xa2\t EPA Order 2195.1 A4 - Directs that the ISO is the primary point of\n               contact for all security incidents. In addition, it directs the ISO to\n               document and retain records of computer security incidents.\n\n            \xe2\x80\xa2\t EPA Directive 200.06 - Provides the framework for EPA\xe2\x80\x99s computer\n               security incident reporting program. 
It requires the ISO to develop,\n               maintain, and publish local computer security incidents procedures.\n\n            \xe2\x80\xa2\t The ISO Handbook - Directs EPA personnel to follow local procedures\n               to report computer security incidents.\n\nScope and Methodology\n         We performed our audit in accordance with Government Auditing Standards,\n         issued by the Comptroller General of the United States. We conducted field work\n\n\n                                          2\n\n\x0cfrom March 2006 until June 2006. We conducted site visits in EPA Regions 1, 2,\nand 3. We also conducted teleconferences with EPA Regions 5 and 8 and held\nmeetings with representatives from EPA\xe2\x80\x99s Office of Water and Office of Air and\nRadiation, located in Washington, DC.\n\nWe conducted a survey to obtain preliminary information on program and\nregional offices\xe2\x80\x99 processes regarding contractor systems and computer security\nincident reporting. To obtain an understanding of EPA\xe2\x80\x99s management control\nprocesses for contractor systems and computer security incident reporting, we\ncollected documentation, interviewed personnel, and reviewed EPA\xe2\x80\x99s\nimplementation of management controls over these two areas. EPA has not\nconducted management reviews of its processes to identify contractor systems.\nEPA had conducted a review of its incident handling processes and we collected\nand analyzed management\xe2\x80\x99s evaluation of its processes. 
We collected\ninformation on the number of contractor systems, establishment of incident\nhandling procedures, and the number of incidents reported to the Agency\xe2\x80\x99s central\nincident collection center.\n\nWe spoke with representatives from OEI, responsible for overseeing the Agency\xe2\x80\x99s\ninformation security processes, and EPA\xe2\x80\x99s Office of Acquisition Management\nwithin the Office of Administration and Resources Management, responsible for\noverseeing the Agency\xe2\x80\x99s acquisition processes. We also spoke with EPA\ncontractors and employees responsible for monitoring EPA\xe2\x80\x99s contractor systems\nand following EPA\xe2\x80\x99s computer security incident reporting policies and\nprocedures.\n\nWe conducted a survey with all EPA offices and did the following analyses:\n\n   \xe2\x80\xa2\t To identify contractor systems - We developed a definition of contractor\n      systems with the assistance of OEI. The definition contained elements\n      that described contractor-owned systems, located outside of a Government\n      facility, used to collect information on EPA\xe2\x80\x99s behalf. We collected\n      information regarding whether the location categorized the sensitivity of\n      the data. We collected and reviewed contractor oversight policies and\n      procedures. We conducted followup interviews with respective offices\n      and research within EPA\xe2\x80\x99s intranet to validate the survey results.\n\n   \xe2\x80\xa2\t To select locations to visit regarding computer security incidents -\n      Each location provided us the number of computer security incidents that\n      occurred from September 1, 2005, through February 14, 2006. We\n      compared the results to a CSIRC report that identified the number of\n      computer security incidents each location reported to CSIRC for the same\n      period. We used the information to select a judgmental sample of 14\n      locations. 
The sample included locations whose results matched the\n      CSIRC report and those that did not. We conducted site visits and\n      telephone conferences with the selected locations. We met with the site\xe2\x80\x99s\n\n\n\n                                3\n\n\x0c       primary ISO, helpdesk personnel, network managers, and EPA employees\n       and contractors.\n\n   \xe2\x80\xa2\t To determine whether a location complied with EPA\xe2\x80\x99s incident\n      reporting procedures - We considered the site compliant with EPA\xe2\x80\x99s\n      policy if the location formally documented the procedures in either a\n      policy document or the location\xe2\x80\x99s security plan.\n\nThere were no significant audits or recommendations to follow up on during this\naudit.\n\n\n\n\n                                4\n\n\x0c                                 Chapter 2\n      EPA Could Improve Processes for Managing\n                 Contractor Systems\n\n          EPA could improve its practices for managing contractor compliance with Federal\n          and EPA system security requirements. EPA established the ASSERT database to\n          track EPA systems, their security weaknesses, and the status of remediation plans.\n          However, EPA did not define how EPA offices should identify contractor systems\n          or ensure these systems\xe2\x80\x99 vulnerabilities were consistently tracked through\n          ASSERT. In addition, EPA had not established processes for maintaining its\n          EPA-specific contract clauses and Information Resources Management (IRM)\n          requirements. 
As a result, EPA had not identified all of its contractor systems.\n          Additionally, EPA has no assurance that its contractors identified their systems\xe2\x80\x99\n          vulnerabilities and implemented appropriate security controls, or that they were\n          promptly informed of their contractual obligations when EPA-specific\n          information security requirements changed.\n\nAdditional Guidance Needed for Identifying Contractor Systems\n          EPA\xe2\x80\x99s method for identifying contractor systems does not consider the type and\n          sensitivity of the data needing protection. Instead, EPA\xe2\x80\x99s current guidance for\n          identifying contractor systems only considers whether a contractor system is\n          co-located at an EPA facility or connected to EPA\xe2\x80\x99s network infrastructure. Since\n          some contractor systems do not reside at an EPA location or connect to EPA\xe2\x80\x99s\n          network, offices did not identify these systems for routine assessment of security\n          controls. As a result, EPA offices do not know whether the contractors are\n          knowledgeable of Agency-specific information security requirements or whether\n          the contractor applied the security controls necessary to protect the data it collects\n          on EPA\xe2\x80\x99s behalf.\n\n          We developed a \xe2\x80\x9climited\xe2\x80\x9d definition of contractor systems that contained EPA\n          data. We included this definition in a survey sent to all EPA offices. All EPA\n          office responded to our survey. The results identified four additional contractor\n          systems that were not included in ASSERT. 
We provided the results to OEI and\n          the office took immediate action to recognize the systems in the Agency\xe2\x80\x99s system\n          inventory.\n\nProcedures Needed for Updating EPA-Specific Contract Clauses\n          The Office of Acquisition Management (OAM) had not established formal\n          procedures to ensure responsible EPA offices regularly review and update their\n          EPA-specific contract clauses (EPAAR clause). Instead, OAM uses an informal\n\n\n                                            5\n\n\x0c         process to notify offices when to update their clause. The informal approach\n         creates a security risk because contractors may not receive timely guidance and\n         instructions about new security requirements. For instance, we discovered the\n         existing EPAAR clause on information security directed contractors to an\n         inoperable EPA Website. As a result, contractors did not have access to the latest\n         guidance for system security requirements. Upon bringing this weakness to the\n         Agency\xe2\x80\x99s attention, EPA took immediate action to activate the Website.\n\nProcesses Needed for Maintaining IRM Requirements\n         Although OEI chartered a workgroup to maintain IRM policies, OEI has not\n         formally assigned duties and responsibilities for maintaining the policy guidance.\n         Further, OEI has not developed and implemented a process to ensure that IRM\n         policy posted for contractor use is current, accurate, and complete. 
Without up-\n         to-date policy, contractors cannot adhere to the latest security requirements.\n         While OEI has made progress in implementing processes to manage the IRM\n         Website content, OEI personnel agreed that further progress is needed to fulfill its\n         responsibilities.\n\nRecommendations\n         We recommend that the Assistant Administrator for Environmental Information:\n\n          2-1 \t Develop and implement guidance that EPA offices can use to identify\n                contractor systems that contain EPA data.\n\n          2-2 \t Assign duties and responsibilities to internal offices for maintaining the\n                IRM requirements posted on the EPA Website available to contractors.\n\n         We recommend that the Assistant Administrator for Administration and\n         Resources Management, through its Office of Acquisition Management:\n\n          2-3 \t Establish formal procedures to ensure all responsible program offices\n                update and maintain applicable EPA-specific contract clauses on a regular\n                basis.\n\nAgency Comments and OIG Evaluation\n\n         The Agency concurred with the findings and provided descriptions of planned\n         actions, including milestone dates, for addressing the recommendations.\n\n\n\n\n                                          6\n\n\x0c                                 Chapter 3\n EPA Could Improve Its Incident Reporting Processes\n\n          Although EPA locations were aware of the Agency\xe2\x80\x99s computer security incident\n          reporting process, not all locations reported computer security incidents to the\n          Agency\xe2\x80\x99s CSIRC staff in a timely manner. 
This occurred because:\n\n             \xe2\x80\xa2\t EPA offices lacked local procedures for reporting incidents,\n             \xe2\x80\xa2\t EPA had not fully implemented automated tools to monitor Agency\n                network resources for security incidents,\n             \xe2\x80\xa2\t EPA did not provide sufficient training to its employees on their\n                responsibilities and local procedures, and\n             \xe2\x80\xa2\t EPA did not share information on network attack trends.\n\n          As a result, EPA offices are not consistent in what, when, and how they report\n          security incidents to CSIRC. EPA needs to consider all relevant security incident\n          data to assess vulnerabilities, identify attack trends, and contain security threats.\n          Without all relevant security incident data, CSIRC personnel cannot promptly\n          respond to and contain security threats before they potentially affect wider\n          portions of the Agency\xe2\x80\x99s network.\n\nEPA Locations Need Local Incident Reporting Procedures\n\n          Although required by EPA Directive 200.06, Computer Security Incident\n          Response, only 29 percent (4 of 14) of the sampled locations developed local\n          incident handling procedures. Our fieldwork identified several weaknesses that\n          contribute to sites inconsistently reporting security incidents within their locations\n          and subsequently to the CSIRC. For example:\n\n             \xe2\x80\xa2\t Although some sites established informal procedures for reporting\n                incidents, we found that the sites did not always follow these processes\n                and did not keep records of incidents.\n\n             \xe2\x80\xa2\t Several sites did not create local procedures because EPA\xe2\x80\x99s policy did not\n                provide enough guidance to assist them in developing procedures. 
The\n                sites also indicated that they needed additional assistance from the Agency\n                to improve their processes.\n             \xe2\x80\xa2\t One office with eight geographically dispersed offices under its purview\n                did not have standardized procedures to identify and report computer\n                security incidents.\n             \xe2\x80\xa2\t Two offices indicated that users often contacted the local system\n                administrator or ISO directly for faster assistance. In doing so, these\n\n\n                                            7\n\n\x0c                 offices bypassed the established call centers responsible for receiving\n                 reports about potential computer problems. We found that when the call\n                 center is by-passed, the ISO might not contact the call center to ensure a\n                 record was kept of the incident.\n\n          Without local procedures for reporting computer security incidents, CSIRC and\n          EPA may not have all the information necessary to adequately protect information\n          assets and respond to actual and potential incidents.\n\nEPA Had Not Fully Implemented Its Centralized Monitoring Software\n          EPA\xe2\x80\x99s Office of Technology Operations and Planning specified that all Agency\n          locations must configure their anti-virus software to utilize the centralized\n          monitoring feature. During our fieldwork, several locations had not yet\n          configured their anti-virus software to use the feature. The centralized monitoring\n          feature allows all recognized instances of computer security attacks to be reported\n          and collected at one location for analysis. 
However, EPA\xe2\x80\x99s CSIRC does not have\n          the capability to determine which locations have properly configured their\n          software for centralized monitoring.\n\n          Further, EPA did not maximize the use of its centralized monitoring software\n          because it did not establish a deadline for locations to upgrade to the latest version\n          of anti-virus software. EPA approved several versions of the anti-virus software\n          for use within the Agency. By utilizing the latest version, the CSIRC would have\n          more readily available information about the different types of computer attacks\n          across the Agency. EPA allows each location to implement the software upgrade\n          because each location maintains its own desktop support. However, EPA does\n          not monitor how quickly the software upgrade occurs. The current situation\n          compromises the effectiveness of EPA\xe2\x80\x99s computer security incident capability, as\n          well as the Agency\xe2\x80\x99s ability to control the availability and integrity of its network.\n\nEPA Employees Need Training on Local Reporting of Incidents\n          Most locations rely on the Agency\xe2\x80\x99s annual security awareness training to inform\n          employees about reporting computer security incidents. Our review disclosed that\n          EPA\xe2\x80\x99s annual security awareness training lacked specific local training\n          procedures. While the training provided general information regarding how to\n          recognize a computer security attack, the training did not provide information on\n          how and where to report these security incidents and what information should be\n          reported. Additionally, the training was inconsistent about whom an employee\n          should contact. 
For instance, one section of the training program informs the employee to report threats to the immediate supervisor; yet, in another section, the training instructs the employee to notify local computer security personnel. Subsequent to audit fieldwork, EPA implemented new annual security awareness training. However, the training is not specific enough to prescribe how computer security incident reporting should take place locally.

Incident Trend Reports Not Provided to Information Security Officers

Although CSIRC distributes weekly management and quarterly trend analysis reports to EPA’s Office of Technology Operations and Planning, CSIRC does not share this information with the local ISOs. The reports reflect all computer security activity across the EPA network. During fieldwork, several ISOs indicated that these reports would assist them in proactively monitoring their networks and implementing risk mitigation practices. Further, sharing information with all individuals involved with protecting network resources strengthens EPA’s proactive and agile computer security response capability. With trend information, network managers can implement security measures that could ultimately reduce the number of successful attacks on EPA’s network.

Recommendations

We recommend that the Assistant Administrator for Environmental Information, through its Office of Technology Operations and Planning:

3-1  Collect and analyze the Agency’s local computer security incident reporting procedures to ensure compliance with established Agency policies. If necessary, update the CSIRC guidance accordingly.

3-2  Establish a target date when all EPA locations will implement the latest anti-virus software and configure the software to use centralized monitoring.

3-3  Develop and implement a strategy to train ISOs on any updates to the CSIRC guide.

3-4  Provide local ISOs and responsible information technology personnel with trend analysis reports on computer security incidents.

Agency Comments and OIG Evaluation

EPA generally agreed with the report’s findings. OEI disagreed with our recommendation to update the CSIRC guidance because management felt the guide provides detailed information on proper reporting, prioritization, and escalation of security incidents. Although the CSIRC guide provides detailed information, the guide does not provide the specificity needed to address local operating needs. Given the high number of locations without local computer security incident reporting procedures, EPA should conduct an analysis of the Agency’s local incident reporting practices to identify instances where the Agency could improve its incident reporting processes and, if necessary, update the CSIRC guidance accordingly. We modified the recommendation accordingly.

OEI indicated that it could not corroborate evidence that the ISO community lacks an understanding of the Agency’s incident reporting policies. Although EPA locations were aware of the Agency’s incident reporting policies, our site visits and interviews determined that many of the locations did not institute management control processes to enforce the Agency’s policies.
As such, several weaknesses existed that contributed to sites inconsistently reporting security incidents within their locations and subsequently to the CSIRC. OEI also indicated the report misstated the CSIRC’s responsibilities for deploying and following up on the anti-virus software implementation. We modified the report to address the Agency’s concerns.

Status of Recommendations and Potential Monetary Benefits

Table columns: Rec. No.; Page No.; Subject; Status (1); Action Official; Planned Completion Date; Potential Monetary Benefits (in $000s), Claimed Amount and Agreed To Amount.

2-1 (Page 6)
    Subject: Develop and implement guidance that EPA offices can use to identify appropriate contractor systems that contain EPA data.
    Status: O
    Action Official: Assistant Administrator for Environmental Information
    Planned Completion Date: 9/18/08
    Potential Monetary Benefits (in $000s): Claimed Amount 0; Agreed To Amount (blank)

2-2 (Page 6)
    Subject: Assign duties and responsibilities to internal offices for maintaining the IRM requirements posted on the EPA Website available to contractors.
    Status: O
    Action Official: Assistant Administrator for Environmental Information
    Planned Completion Date: TBD
    Potential Monetary Benefits (in $000s): Claimed Amount 0; Agreed To Amount (blank)

2-3 (Page 6)
    Subject: Establish formal procedures to ensure all responsible program offices update and maintain applicable EPA-specific contract clauses on a regular basis.
    Status: O
    Action Official: Assistant Administrator for Administration and Resources Management/Office of Acquisition Management
    Planned Completion Date: 3rd Quarter Fiscal Year 2007
    Potential Monetary Benefits (in $000s): Claimed Amount 0; Agreed To Amount (blank)

3-1 (Page 9)
    Subject: Collect and analyze the Agency’s local computer security incident reporting procedures to ensure compliance with established Agency policies. If necessary, update the CSIRC guidance accordingly.
    Status: U
    Action Official: Assistant Administrator for Environmental Information/Office of Technology Operations and Planning
    Planned Completion Date: (blank)
    Potential Monetary Benefits (in $000s): Claimed Amount 0; Agreed To Amount (blank)

3-2 (Page 9)
    Subject: Establish a target date when all EPA locations will implement the latest anti-virus software and configure the software to use centralized monitoring.
    Status: O
    Action Official: Assistant Administrator for Environmental Information/Office of Technology Operations and Planning
    Planned Completion Date: 2/27/07
    Potential Monetary Benefits (in $000s): Claimed Amount 0; Agreed To Amount (blank)

3-3 (Page 9)
    Subject: Develop and implement a strategy to train ISOs on any updates to the CSIRC guide.
    Status: O
    Action Official: Assistant Administrator for Environmental Information/Office of Technology Operations and Planning
    Planned Completion Date: TBD
    Potential Monetary Benefits (in $000s): Claimed Amount 0; Agreed To Amount (blank)

3-4 (Page 9)
    Subject: Provide local ISOs and responsible information technology personnel with trend analysis reports on computer security incidents.
    Status: O
    Action Official: Assistant Administrator for Environmental Information/Office of Technology Operations and Planning
    Planned Completion Date: TBD
    Potential Monetary Benefits (in $000s): Claimed Amount 0; Agreed To Amount (blank)

(1) O = recommendation is open with agreed-to corrective actions pending
    C = recommendation is closed with all agreed-to actions completed
    U = recommendation is undecided with resolution efforts in progress

Appendix A

Office of Environmental Information
Response to Draft Report

November 30, 2006

MEMORANDUM

SUBJECT:  OEI Response to the Draft Audit Report: EPA Could Improve Processes for Managing Contractor Systems and Reporting Incidents, Assignment No. 2006-000068

FROM:     Linda A. Travers
          Acting Assistant Administrator and Chief Information Officer

TO:       Rudolph M. Brevard
          Director, Information Technology Audits
          Office of Inspector General

Thank you for the opportunity to respond to the Draft Audit Report: EPA Could Improve Processes for Managing Contractor Systems and Reporting Incidents. We appreciate your efforts to hold informational meetings to ensure clarity of your findings and allow for early review of your recommendations.

The attachment provides corrections to factual errors noted in the Audit Findings and OEI responses to the specific recommendations for the Office of Technology Operations and Planning (OTOP).
Please contact Marian Cody, Director of the Technology and Information Security Staff, at 202-566-0302 if you have any questions or need additional information.

cc:  Myra Galbreath
     Marian Cody
     Karen Maher

Attachment

OEI Comments on Draft Audit Report:
EPA Could Improve Processes for Managing Contractor Systems and Reporting Incidents
Assignment No. 2006-000068

OEI noted factual errors in the Audit Findings. The factual errors involve the validity of the Audit’s findings that EPA offices are unfamiliar with the Agency’s Computer Security Incident Response Capability (CSIRC) and confusion about CSIRC’s roles and responsibilities.

Pertaining to the first issue, OEI did not find corroborating evidence indicating a lack of understanding in the EPA general community about computer security incident response procedures in either the Office of Inspector General’s (OIG) February data collection or in the OIG’s detailed back-up data about incidents. In the February data collection, most respondents answered the incident response questions as they applied to any contractor sites identified in the first half of the questionnaire, not as they pertained to their own organization. Nor could OEI discern any evidence of a lack of understanding about incident response procedures in the OIG’s detailed back-up data about incidents.
While OEI accepts that there probably can never be enough training and communication, we do not accept that the data collected offers clear evidence that EPA lacks policies and procedures for reporting incidents or that EPA offices do not know how, what, or when security incident information should be reported.

Our second area of concern is the OIG’s confusion about CSIRC’s roles and responsibilities. The Audit Report assigns CSIRC roles and responsibilities for anti-virus. The Agency’s Anti-Virus program is managed by the Network Infrastructure Services (NIS) and it is this organization which has responsibility for deploying and following up on implementation of anti-virus software.

Table columns: Rec. No.; Recommendation; Accept/Disagree; Action Plan; Comment.

2-1
    Recommendation: Develop and implement guidance that EPA offices can use to identify appropriate contractor systems that contain EPA data.
    Accept/Disagree: Accept
    Action Plan: Update of the Information Security Manual. Completion date: 9/18/2008. ASSERT Task ID 105647.
    Comment: (none)

2-2
    Recommendation: Assign duties and responsibilities to internal offices for maintaining the IRM requirements posted on the EPA Website available to contractors.
    Accept/Disagree: Accept
    Action Plan: To Be Determined (TBD)
    Comment: (none)

3-1
    Recommendation: Update the CSIRC guide to include specific instructions for reporting computer security incidents at EPA locations. The updated guide should include specific instructions for prioritizing security incidents and escalating the notification of security incidents within a location. The guide should also include instructions that EPA locations could use to train employees on the local procedures for reporting computer security incidents.
    Accept/Disagree: Disagree
    Action Plan: (none)
    Comment: OEI has instructions in the current “Agency Guidance to Incident Handling and Information Security Officer Handbook”. http://intranet.epa.gov/otop/security/CSIRC/CSIRC_Handbook.doc
    The “Agency Guidance to Incident Handling and Information Security Officer Handbook” provides detailed information for Information Security Officers (ISOs) on the proper reporting, prioritization, and escalation of security incidents. The handbook provides specific instructions on incident types, incident reporting, information flows, and specific actions to take during an incident that EPA locations could use to train employees.

3-2
    Recommendation: Establish a target date when all EPA locations will implement the latest anti-virus software and configure the software to use centralized monitoring.
    Accept/Disagree: Accept
    Action Plan: Completion date: February 27, 2007
    Comment: (none)

3-3
    Recommendation: Develop and implement a strategy to train ISOs on the updated CSIRC guide.
    Accept/Disagree: Accept
    Action Plan: TBD
    Comment: While OTOP accepts this recommendation because training is always a good idea, CSIRC has provided training for the past three years to EPA ISOs through monthly teleconferences and at the yearly IT Security and Operations Conference. OTOP, however, will enhance its training strategy to include:
        - training at the annual Office of Environmental Information (OEI) National Symposium and IT Security and Operations Conference
        - daily interaction with ISOs on specific incidents
        - updating EPA's annual Information Security Awareness training to focus on the roles and responsibilities of all employees pertaining to incident reporting, escalation and prioritization.

3-4
    Recommendation: Provide local ISOs and responsible information technology personnel with trend analysis reports on computer security incidents.
    Accept/Disagree: Accept
    Action Plan: TBD
    Comment: CSIRC creates quarterly trend reports for EPA Management. Historically, these reports were provided to Technical Information Security Staff (TISS) for review and distribution. Effective immediately, these reports will be provided to the ISO community following National Computer Center (NCC) Management review.

Appendix B

Office of Administration and Resources Management
Response to Draft Report

December 15, 2006

MEMORANDUM

SUBJECT:  Draft Report, EPA Could Improve Processes for Managing Contractor Systems and Reporting Incidents – Assignment No. 2006-000068

FROM:     Luis A. Luna, Assistant Administrator
          Office of Administration and Resources Management

TO:       Rudolph M. Brevard, Director
          Information Resources Management Assessments

This is in response to the subject draft report dated October 31, 2006. Specifically, this memorandum addresses recommendation 2-3 of the report which states that the Office of Acquisition Management (OAM) “establish formal procedures to ensure all responsible program offices update and maintain applicable EPA-specific contract clauses on a regular basis.”

OAM will periodically request that program offices review EPA-specific contract clauses for any needed updates and/or maintenance. This will be done both in writing (through OAM News Flash Notices), and verbally (through the Contracts Customer Relations Counsel and other forums with our customers). The Service Center Manager of the Acquisition Policy and Training Service Center within OAM will be established as the point of contact for the receipt of this information from program offices.
This initiative will be implemented beginning in the third quarter of FY 2007.

If your staff has any questions, please contact Larry Wyborski at (202) 564-4369. If I can assist in any way, please call me on 564-4600.

Appendix C

Distribution

Office of the Administrator
Assistant Administrator for Environmental Information
Assistant Administrator for Administration and Resources Management
Director, Technology and Information Security Staff
Director, Acquisition Management
Audit Followup Coordinator, Office of Environmental Information
Audit Followup Coordinator, Office of Administration and Resources Management
Audit Followup Coordinator, Technology and Information Security Staff
Agency Followup Official (the CFO)
Agency Followup Coordinator
General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for Public Affairs
Acting Inspector General